Researchers at Cluster25 have identified a new campaign that uses a novel code execution technique relying on mouse movement. The campaign leverages a PowerPoint document and requires the victim to hover their mouse over the malicious link in the document for the attack to begin. Once the mouse hovers over the link, a malicious PowerShell script is triggered, which ultimately delivers the Graphite malware. Attacks have been seen as recently as September 9th.
This campaign has targeted victims in the defense and government sectors. With low to moderate confidence, researchers have attributed the attack to Fancy Bear (APT28), a Russian state-sponsored threat group behind several past attacks. The attribution is based on code and targeting similarities observed while researching the campaign. The malware used in the attacks, Graphite, is used to load further malware into memory on the victims' machines. It was documented in January 2022 by researchers at Trellix. A more detailed infection chain can be found in the source article.
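The infection chain described above hinges on an Office host (PowerPoint) starting a script interpreter (PowerShell), which is an unusual parent/child relationship on most endpoints and a practical detection point. The following is an added example written for this summary, not code from Cluster25 or Trellix. It assumes Sysmon-style process-creation events with `ParentImage`, `Image` and `CommandLine` fields; the sample events are constructed, and the check generalizes beyond PowerPoint to other Office hosts and other interpreters.

```python
"""Detect Office applications spawning script interpreters.

Added example for the Cluster25 PowerPoint/PowerShell campaign summary.
Assumes Sysmon Event ID 1 style process-creation records with
ParentImage, Image and CommandLine fields. All sample events below are
constructed for illustration.
"""
from pathlib import PurePath

# Office hosts that should rarely, if ever, launch a script interpreter.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe"}

# Interpreters whose appearance under an Office parent is worth alerting on.
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe",
                   "wscript.exe", "cscript.exe", "cmd.exe"}

# Command-line tokens commonly used to hide or obfuscate a PowerShell stage.
PS_INDICATORS = ("hidden", "-nop", "-noprofile", "-enc", "-encodedcommand",
                 "downloadstring", "iex", "bypass")


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return PurePath(path.replace("\\", "/")).name.lower()


def is_office_spawning_interpreter(event: dict) -> bool:
    """True when an Office host is the direct parent of a script interpreter."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN


def command_line_flags(event: dict) -> list:
    """List the suspicious PowerShell indicators present in the command line."""
    cmd = event.get("CommandLine", "").lower()
    return [tok for tok in PS_INDICATORS if tok in cmd]


def find_suspicious(events) -> list:
    """Return (parent, child, flags) for every event matching the rule."""
    hits = []
    for ev in events:
        if is_office_spawning_interpreter(ev):
            hits.append((basename(ev["ParentImage"]),
                         basename(ev["Image"]),
                         command_line_flags(ev)))
    return hits


# Constructed sample telemetry; paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    {  # PowerPoint launching a hidden PowerShell: should alert
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -c <constructed placeholder>",
    },
    {  # User opening PowerPoint from Explorer: benign
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
        "CommandLine": "POWERPNT.EXE deck.pptx",
    },
    {  # Word launching mshta: alert (rule generalizes across Office hosts)
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta.exe <constructed placeholder>",
    },
    {  # Admin running a child shell from an interactive PowerShell: benign here
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -File inventory.ps1",
    },
]

if __name__ == "__main__":
    for parent, child, flags in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {parent} -> {child} (indicators: {flags or 'none'})")
```

In practice the parent/child match alone is a high-signal rule; the command-line indicators are secondary enrichment for triage, since a well-written rule should not depend on the attacker using any particular flag.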